Exploiting ClickFix: AMOS macOS Stealer Evades Security to Deploy Malicious Code
gbhackers
A newly uncovered campaign involving an Atomic macOS Stealer (AMOS) variant has emerged, showcasing the evolving sophistication of multi-platform social engineering attacks.
This campaign, discovered during routine attacker infrastructure analysis, leverages typo-squatted domains mimicking Spectrum, a prominent U.S.-based telecommunications provider offering cable television, internet, and managed services.
By employing the ClickFix method, attackers deliver tailored payloads based on the victim’s operating system, with macOS users specifically targeted by a malicious shell script designed to harvest system passwords and deploy an AMOS variant for deeper exploitation.

This operation, marked by Russian-language comments in the source code, points to the likely involvement of Russian-speaking cybercriminals, while its poorly implemented delivery logic reveals a hastily constructed yet dangerous infrastructure.
Deceptive Delivery
The attack begins with victims being lured to typo-squatted domains such as panel-spectrum[.]net and spectrum-ticket[.]net, where they are ...